Microsoft Says Iranian Hackers Exploiting Zerologon Vulnerability (Security News, October 2020)
The Iran-linked threat actor known as MuddyWater, which Microsoft tracks as MERCURY, is actively exploiting the Zerologon vulnerability in Windows Server, Microsoft warns.
According to Microsoft, one of the latest changes in the group's tactics is the adoption of exploits for Zerologon (CVE-2020-1472), an elevation-of-privilege flaw in the Netlogon Remote Protocol (MS-NRPC) that lets an attacker with network access to a domain controller establish a vulnerable Netlogon secure channel connection and escalate to domain-level privileges. Microsoft addressed the flaw in its August 2020 security updates.
"MSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit in active campaigns over the last 2 weeks. We strongly recommend patching," Microsoft said on Twitter.
Microsoft is addressing the vulnerability in two phases. The August 2020 update puts domain controllers into an initial deployment phase, in which vulnerable Netlogon secure channel connections from Windows devices are refused while those from non-compliant (typically third-party) devices are still allowed but logged; an enforcement phase scheduled for February 2021 will reject every vulnerable connection that has not been explicitly permitted by group policy.
Microsoft also announced last week that exploitation of Zerologon is now detected by Microsoft Defender for Identity and Microsoft 365 Defender.
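A check a domain administrator would want at this point, added here as an example and not taken from the original article or from Microsoft: run on a domain controller, it reports whether the FullSecureChannelProtection registry value has moved the DC into enforcement mode ahead of the schedule, and summarises the Netlogon System-log events 5827 to 5831 that the August 2020 update introduced, so that devices still making vulnerable secure channel connections (event 5829) can be found and fixed before the enforcement phase. The registry path, the event IDs and their meanings are Microsoft's; the function names and the regular expression used to pull the account name out of the event message text are this example's own and are assumptions about the message layout.

```powershell
# Added example: audit a domain controller's Zerologon (CVE-2020-1472) posture.
# Not code from the original article or from Microsoft. Run as an administrator
# on a DC that has the August 2020 (or later) security update installed.

$NetlogonParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Event IDs added by the August 2020 update (source NETLOGON, System log).
$ZerologonEvents = @{
    5827 = 'Denied: vulnerable connection from machine account'
    5828 = 'Denied: vulnerable connection from trust account'
    5829 = 'Allowed: vulnerable connection (initial deployment phase)'
    5830 = 'Allowed: machine account permitted by group policy'
    5831 = 'Allowed: trust account permitted by group policy'
}

function Get-ZerologonEnforcementState {
    # FullSecureChannelProtection = 1 moves the DC into enforcement mode early.
    # If the value is absent the DC follows Microsoft's phased schedule.
    $value = (Get-ItemProperty -Path $NetlogonParams -Name FullSecureChannelProtection `
                -ErrorAction SilentlyContinue).FullSecureChannelProtection
    if ($null -eq $value) { return 'phased (FullSecureChannelProtection not set)' }
    if ($value -eq 1)     { return 'enforcement (FullSecureChannelProtection=1)' }
    return "not enforced (FullSecureChannelProtection=$value)"
}

function Get-ZerologonEventSummary {
    param([int]$MaxEvents = 5000)
    $filter = @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = [int[]]$ZerologonEvents.Keys }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # The account name is read from the message text; this regex is the
        # example's own assumption about the layout of the 5827/5829/5830 text.
        $account = if ($e.Message -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] } else { '<unknown>' }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Id          = $e.Id
            Meaning     = $ZerologonEvents[$e.Id]
            Account     = $account
        }
    }
}

$state = Get-ZerologonEnforcementState
Write-Host "Netlogon secure channel enforcement: $state"

$summary = @(Get-ZerologonEventSummary)
if ($summary.Count -eq 0) {
    Write-Host 'No Netlogon events 5827-5831 found; confirm the August 2020 update is installed.'
} else {
    # Count per event ID
    $summary | Group-Object Id | Sort-Object Name | ForEach-Object {
        Write-Host ("{0,5}  {1,6}  {2}" -f $_.Name, $_.Count, $ZerologonEvents[[int]$_.Name])
    }
    # Devices still making vulnerable connections that the DC currently allows:
    # these will break when the enforcement phase arrives unless fixed or explicitly allowed.
    Write-Host "`nAccounts with allowed vulnerable connections (event 5829):"
    $summary | Where-Object Id -eq 5829 | Group-Object Account | Sort-Object Count -Descending |
        Select-Object @{ n = 'Account'; e = { $_.Name } }, Count | Format-Table -AutoSize
}
```

Any account that appears under event 5829 is a device that still negotiates the weak secure channel; it needs a vendor update, or a deliberate (and temporary) exception in the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy, before the enforcement phase turns those 5829 events into 5827 denials.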
Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK
---|---|---|---
2020-08-17 | CVE-2020-1472 | Use of Insufficiently Random Values vulnerability in multiple Microsoft products. An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC). | 5.5